Potential SSRF in proxies #2
Comments
|
1. It's a demo project and it's not deployed in the wild/production.
2. Since it was just for demoing the capabilities we tried to keep the code
as short as possible.
…On Thu, Mar 28, 2024 at 5:29 AM Malte ***@***.***> wrote:
Hi!
The supplied proxies:
-
https://github.com/greenido/backbone-bira/blob/master/test-page/prox.php
-
https://github.com/greenido/backbone-bira/blob/master/test-page/proxy.php
-
https://github.com/greenido/backbone-bira/blob/master/server/birra/war/test/prox.php
- …
don't filter the input. Therefore they can be used to request e.g.
localhost (including other services running on the machine) or other
unwanted targets. This is called SSRF:
https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/
I am aware that this project is a demo project, but if I got the README
right, it seems like this is deployed in the wild as well?
Best
—
Reply to this email directly, view it on GitHub
<#2>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AMWX4FJ6TVWSNLJY3A3QHYDY2P5IDAVCNFSM6AAAAABFMWBYTWVHI2DSMVQWIX3LMV43ASLTON2WKOZSGIYTGMJRHA2DCOA>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi!
The supplied proxies:
don't filter the input. Therefore they can be used to request e.g. localhost (including other services running on the machine) or other unwanted targets. This is called SSRF: https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/
I am aware that this project is a demo project, but if I got the README right, it seems like this is deployed in the wild as well?
Best
The text was updated successfully, but these errors were encountered: